Environment

• EDR Server:  7.4 and higher
• EDR Windows Sensor: 7.2 and higher

Question

Answer

• Tamper Protection can be enabled per-group in the EDR Console > Sensors >  Edit Group Settings > Advanced.  Modify the Tamper Protection Level to Protection, Detection or Disable.  
• No performance impact on the endpoints.
• In Protect mode the following files are protected:

* Starting/stopping the CB Windows sensor services
* Modifying the C:\Windows\CarbonBlack files; Users have no access
* Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
* Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
* Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
* Modifying CarbonBlack registry keys

Additional Notes

• Review the knowledge base article EDR: Which Sensor directories need exclusion from third-party anti-virus scans to make sure that the latest Carbon Black EDR Windows sensor exclusions are in place before enabling Tamper Protection. 
• Minimum requirements are Windows 10 v1703 (Desktop) or Windows Server v1709 (Windows build 15163).   Any Windows sensor in a sensor group that has Tamper Protection applied and that does not meet the minimum OS requirements will default to Tamper Detection.
• Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR Tamper Protection enforcement is in place.
• Download and review Engineering Overview of Tamper Protection document:  https://transfer.vmware.com/download?domain=carbonblack&id=d3c24998d3f442bc8e9dcd202652d7e9&out=zip
• Review Managing Sensors > Tamper Protection of Windows Sensors in the 7.7 User Guide or higher for details on configuration fields for the new Tamper Protection Feature.

Related Content

• EDR: How to Enable Tamper Detection or Tamper Protection
• Tamper Protection of Windows Sensors
• Advanced Settings